Summary of the invention
According to one aspect of the present invention, a method for detecting buffer overflow in an executable file is provided, comprising:
analyzing the original entry point of the original file;
analyzing the instructions in the original file that call functions, and recording the addresses of those call instructions;
injecting the original entry point of the original file and the addresses of the call instructions into the original file, to obtain a protected executable file;
when the protected executable file runs, setting an access breakpoint at the original entry point of the original file, according to the recorded original entry point;
after the protected executable file has run to the original entry point of the original file, setting access breakpoints at the addresses of the call instructions, according to the recorded addresses;
after both kinds of breakpoint have been set, controlling the execution of the protected executable file and recording, for each function, the expected return address before the function is called and the address actually returned to after the function call completes;
comparing the recorded expected return address before the call with the address actually returned to after the call completes;
if the two differ, deeming that a buffer overflow has occurred and stopping the software;
if the two are identical, letting the software continue to run.
According to one aspect of the present invention, the original entry point is the address of the first instruction executed when the software runs.
According to one aspect of the present invention, the injection consists of adding extra code to the original file.
According to one aspect of the present invention, the extra code is added by appending a new section to the original file; the added modules and data are injected into the new section in the form of binary data.
According to another aspect of the present invention, a system for detecting buffer overflow in an executable file is provided, comprising:
a debugger module, an instruction analysis module, an overflow check module and a file link module;
the debugger module controls the execution of the executable file and records, for each function, the expected return address before the function is called and the address actually returned to after the call completes;
the instruction analysis module analyzes the original entry point of the executable file and records it, and analyzes the instructions that call functions and records the addresses of those call instructions;
the overflow check module analyzes the expected return address before the call and the actual return address after the call, as recorded by the debugger module; if the two differ, it deems that a buffer overflow has occurred and stops the software; if the two are identical, the software continues to run;
the file link module injects the original entry point of the original file and the addresses of the call instructions into the original file.
The method provided by the present invention has the following beneficial effect: before a function is called, the address to which it should return after executing is determined in advance; after the function finishes, the address actually returned to is determined; comparing the predicted return address with the actual return address shows whether a buffer overflow has occurred, which substantially increases the safety of the software.
Detailed description of the invention
To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is further described below with reference to the drawings and embodiments.
The invention discloses a method and a system for detecting buffer overflow in an executable file. A buffer overflow works by using carefully constructed data (that is, data that contains the binary machine code of the instructions to be executed, such as opening a command window or downloading malware from a specified address) to overwrite the return address of a function, thereby taking control of the program's execution. The present invention therefore determines, before a function is called, the address to which it should return after executing; after the function finishes, it determines the address actually returned to and compares the predicted return address with the actual one. If the two addresses differ, a buffer overflow is deemed to have occurred and the software is stopped; if they are identical, the software continues to run. The method thus increases the safety of the software.
According to an embodiment of the invention, as shown in Figures 1 and 2, a method for detecting buffer overflow in an executable file is provided, which specifically includes:
1. The instruction analysis module analyzes and records the original entry point of the original file, where the original entry point is the address of the first instruction executed when the program runs. According to an embodiment of the invention, the original entry point is recorded in a global variable for later use.
2. The instruction analysis module analyzes the instructions in the original file that call functions and records the addresses of those call instructions. According to an embodiment of the invention, the addresses are recorded in allocated memory.
3. The file link module injects the debugger module, the overflow check module, and the original entry point and call instruction addresses obtained by the instruction analysis module into the original file. According to an embodiment of the invention, the injection consists of adding extra code to the original file, for example by appending a new section to the original file and injecting the added modules and data into the new section in the form of binary data.
4. As shown in Figure 2, when the protected executable file runs, the debugger module sets an access breakpoint at the original entry point recorded by the instruction analysis module. After execution reaches the original entry point, it sets access breakpoints at the call instruction addresses recorded by the instruction analysis module. Once the breakpoints are set, the debugger module controls the execution of the executable file and records, for each function, the expected return address before the call (the expected return address can be obtained from the stack: after the callee is entered, that is, after execution enters the address given by the call instruction's operand, the system has pushed the function's return address onto the stack) and the address actually returned to after the call completes. According to an embodiment of the invention, the debugger module obtains the function's return address by single-stepping the called function; the address executed after the called function's ret instruction is the function's return address.
5. The overflow check module analyzes the recorded expected return address and actual return address of the function; if the two differ, a buffer overflow is deemed to have occurred and the software is stopped; if the two are identical, the software continues to run.
According to an embodiment of the invention, a system for detecting buffer overflow in an executable file is provided, which specifically includes:
a debugger module, an instruction analysis module, an overflow check module and a file link module.
The instruction analysis module analyzes the original entry point of the executable file and records it, and analyzes the instructions that call functions and records the addresses of those call instructions. The original entry point is the address of the first instruction executed when the program runs.
The debugger module controls the execution of the executable file and records, for each function, the expected return address before the function is called and the address actually returned to after the call completes.
The overflow check module analyzes the expected and actual return addresses of the functions recorded by the debugger module; if the two differ, a buffer overflow is deemed to have occurred and the software is stopped; if the two are identical, the software continues to run.
The file link module injects the debugger module, the overflow check module, the original entry point of the original file and the addresses of the call instructions into the original file.
An embodiment is given below to illustrate the present invention.
This embodiment takes a PE file under 32-bit Microsoft Windows as an example and describes the detailed process of protecting an executable file according to one concrete embodiment of the application.
As shown in Figure 3, a PE file is a program file in the Microsoft Windows operating system (it may also be one that is executed indirectly, such as a DLL). PE stands for Portable Executable; common EXE, DLL, OCX, SYS and COM files are all PE files. The structure of a PE file, shown in Figure 3, mainly consists of sections (Section), the section table (Section Table), the PE header (PE Header) and the DOS header (DOS Header). The specific definition of each part of the PE file can be found in the online help for Microsoft Windows and is not described further here.
The following explanation takes adding buffer overflow checking to Notepad (notepad.exe, version 5.1) as an example.
The instruction analysis module locates the IMAGE_NT_HEADER data structure from the e_lfanew field in the DOS Header of the PE file. From NumberOfSections in the IMAGE_FILE_HEADER within IMAGE_NT_HEADER it finds the number of entries in the section table; in notepad the section table has 3 entries. From ImageBase in the IMAGE_OPTIONAL_HEADER32 data structure within IMAGE_NT_HEADER it finds the default load address of the executable; the load address of notepad is 0x01000000. From AddressOfEntryPoint in IMAGE_OPTIONAL_HEADER32 within IMAGE_NT_HEADER it finds the original entry point of the executable; the relative virtual address of notepad's original entry point is 0x0000739D, so its address is 0x0100739D, which is recorded in the global variable for the original entry point. The section table follows IMAGE_FILE_HEADER; whether a section is a code section is determined by whether the Characteristics field of its IMAGE_SECTION_HEADER contains IMAGE_SCN_CNT_CODE. In notepad the .text section is the code section. The instructions are analyzed according to the VirtualAddress and VirtualSize of the code section; in notepad the VirtualAddress of the code section is 0x00001000 and its VirtualSize is 0x00007748. If the machine code of an instruction is a "call", the address of that instruction is recorded; the address of the first call instruction in notepad is 0x010073A4, and the instruction is call 01007568. The addresses of all call instructions in the code section are recorded in allocated memory.
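The header walk and call-site scan of steps 1 and 2, as just carried out on notepad, written out as an added Python example (not the invention's own code): it follows e_lfanew to the headers, reads NumberOfSections, ImageBase and AddressOfEntryPoint, keeps only sections whose Characteristics contain IMAGE_SCN_CNT_CODE, and records each call site together with the return address expected after its 5-byte call. The input is a constructed minimal PE image built in memory (not notepad), and the byte-wise test for opcode 0xE8 is a simplification of the "machine code is call" check.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020   # IMAGE_SECTION_HEADER.Characteristics: section holds code

def build_sample_pe(image_base=0x01000000):
    """Constructed minimal 32-bit PE (not notepad, not a runnable program):
    one .text section with two 'call rel32' instructions at RVA 0x1000 and 0x100A."""
    text = (b"\xE8\x05\x00\x00\x00" + b"\x90" * 5 +     # call +5 ; nop x5
            b"\xE8\x00\x00\x00\x00" + b"\xC3")           # call +0 ; ret
    text += b"\x00" * (0x200 - len(text))
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # NumberOfSections = 1
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0x10, 0, 0,
                      0x1000, 0x1000, 0x2000, image_base)  # AddressOfEntryPoint=0x1000, ImageBase
    opt += b"\x00" * (0xE0 - len(opt))
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200,   # VirtualSize, VirtualAddress
                      0, 0, 0, 0, IMAGE_SCN_CNT_CODE | 0x60000000)           # ... Characteristics
    hdr = dos + b"PE\x00\x00" + file_hdr + opt + sec
    return hdr + b"\x00" * (0x200 - len(hdr)) + text

def analyze(pe):
    """Steps 1 and 2: return (entry point VA, [(call site VA, expected return VA), ...])."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)              # DOS Header.e_lfanew
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)          # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)     # SizeOfOptionalHeader
    opt = e_lfanew + 24                                         # IMAGE_OPTIONAL_HEADER32
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)         # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", pe, opt + 28)        # ImageBase
    calls = []
    for i in range(nsec):
        sh = opt + opt_size + 40 * i                            # i-th IMAGE_SECTION_HEADER
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sh + 8)
        chars, = struct.unpack_from("<I", pe, sh + 36)
        if not chars & IMAGE_SCN_CNT_CODE:
            continue                                            # not a code section
        code = pe[rawptr:rawptr + min(vsize, rawsize)]
        # Simplified linear sweep: each 0xE8 byte is taken as a 5-byte 'call rel32'.
        # Real use needs a disassembler, since 0xE8 can also appear inside operands.
        off = 0
        while off + 5 <= len(code):
            if code[off] == 0xE8:
                va = image_base + vaddr + off
                calls.append((va, va + 5))   # breakpoint site, return address expected after it
                off += 5
            else:
                off += 1
    return image_base + entry_rva, calls
```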
The file link module adds a new section to the section table of notepad, stores the debugger module, the overflow check module, the original entry point of the original file and the addresses of the call instructions in the new section, and modifies the entry point and the number of section-table entries of the new file. This achieves the injection into the original file; at run time it is the new file that is executed.
When the protected file runs, the steps are specifically as follows:
The debugger module calls the SetBreakPoint function to set a breakpoint at 0x0100739D, the original entry point of the protected notepad.
The debugger module runs notepad until it reaches the original entry point 0x0100739D.
The debugger module sets access breakpoints at the call addresses; for example, it calls SetBreakPoint to set a breakpoint at the first call address, 010073A4.
The debugger module runs the program until it reaches the call address 0x010073A4, where the instruction is call 01007568. Before the call executes, the expected return address is recorded: the debugger single-steps into the code at 0x01007568 and obtains the function's expected return address, 0x010073A9, from the stack (according to an embodiment of the invention, the stack here is the contiguous memory region needed to store local variables and to perform function calls; stack space is allocated and released automatically by compiler-generated code, whereas space on the heap is requested and released by the programmer). After the function call completes, the address actually returned to is recorded.
The overflow check module analyzes the expected and actual return addresses recorded by the debugger module; if they differ, a buffer overflow is deemed to have occurred and the software is stopped; if they are identical, the software continues to run.
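The debugger-side bookkeeping of the run-time steps above (and of steps 4 and 5 of the method), as an added Python example that is not part of the original description: it replays a debugger trace of call sites reached and ret landing addresses, pairs each expected return address with the actual one, and goes slightly beyond the text by also handling nested calls with a stack of pending return addresses. The call site 0x010073A4 and return address 0x010073A9 are the page's notepad values; the inner call site 0x01007600 and the landing address 0x0012FF80 in the overflow trace are constructed.

```python
CALL_LEN = 5   # length of 'call rel32' (opcode E8): expected return = call site + 5

class ReturnAddressMonitor:
    """Pairs each call site the debugger stops at with the return address the
    callee must come back to, and checks where execution actually lands."""

    def __init__(self):
        self.expected = []      # pending return addresses, innermost call last
        self.violations = []    # (expected, actual) pairs that differed

    def on_call(self, call_site):
        # Access breakpoint hit before the call executes: the address the CPU
        # pushes is that of the next instruction (what the text reads from the
        # stack after single-stepping into the callee).
        self.expected.append(call_site + CALL_LEN)

    def on_return(self, actual_eip):
        # Single-stepped past the callee's ret: compare the landing address.
        if not self.expected:
            raise RuntimeError("return without a recorded call")
        expected = self.expected.pop()
        if actual_eip != expected:
            self.violations.append((expected, actual_eip))
            return False        # buffer overflow detected: stop the software
        return True

def run_trace(events):
    """Replay ('call', site) / ('ret', eip) debugger events and return the
    violations found; stops at the first mismatch, as the text does."""
    mon = ReturnAddressMonitor()
    for kind, addr in events:
        if kind == "call":
            mon.on_call(addr)
        elif not mon.on_return(addr):
            break
    return mon.violations

# Constructed traces. CLEAN_TRACE uses the notepad addresses from the text:
# the call at 0x010073A4 returns to 0x010073A9, as expected.
CLEAN_TRACE = [("call", 0x010073A4), ("ret", 0x010073A9)]
# OVERFLOW_TRACE nests a second (constructed) call at 0x01007600 whose return
# slot was overwritten, so execution lands at a stack address instead.
OVERFLOW_TRACE = [("call", 0x010073A4), ("call", 0x01007600),
                  ("ret", 0x0012FF80), ("ret", 0x010073A9)]

if __name__ == "__main__":
    print("clean:", run_trace(CLEAN_TRACE))        # []
    print("overflow:", run_trace(OVERFLOW_TRACE))  # [(0x01007605, 0x0012FF80)]
```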
The foregoing are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.